diff options
author | Sage Weil <sage@newdream.net> | 2011-03-29 12:11:06 -0700 |
---|---|---|
committer | Sage Weil <sage@newdream.net> | 2011-03-29 12:11:06 -0700 |
commit | fbdb9190482fd83a3eb20cdeb0da454759f479d7 (patch) | |
tree | bf83dcd6ea13c9a1feedb2a8f79744de93f9fecd | |
parent | 234af26ff123dfb2aa48772124721b1354c8e0a5 (diff) | |
download | op-kernel-dev-fbdb9190482fd83a3eb20cdeb0da454759f479d7.zip op-kernel-dev-fbdb9190482fd83a3eb20cdeb0da454759f479d7.tar.gz |
libceph: fix null dereference when unregistering linger requests
We should only clear r_osd if we are neither registered as a linger or a
regular request. We may unregister as a linger while still registered as
a regular request (e.g., in reset_osd). Incorrectly clearing r_osd there
leads to a null pointer dereference in __send_request.
Also simplify the parallel check in __unregister_request() where we just
removed r_osd_item and know it's empty.
Signed-off-by: Sage Weil <sage@newdream.net>
-rw-r--r-- | net/ceph/osd_client.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c index 03740e8..3b91d65 100644 --- a/net/ceph/osd_client.c +++ b/net/ceph/osd_client.c @@ -837,8 +837,7 @@ static void __unregister_request(struct ceph_osd_client *osdc, dout("moving osd to %p lru\n", req->r_osd); __move_osd_to_lru(osdc, req->r_osd); } - if (list_empty(&req->r_osd_item) && - list_empty(&req->r_linger_item)) + if (list_empty(&req->r_linger_item)) req->r_osd = NULL; } @@ -883,7 +882,8 @@ static void __unregister_linger_request(struct ceph_osd_client *osdc, dout("moving osd to %p lru\n", req->r_osd); __move_osd_to_lru(osdc, req->r_osd); } - req->r_osd = NULL; + if (list_empty(&req->r_osd_item)) + req->r_osd = NULL; } } |